Medium severity 5.9 · NVD Advisory · Published Jan 19, 2017 · Updated May 13, 2026
CVE-2016-5725
Description
Directory traversal vulnerability in JCraft JSch before 0.1.54 on Windows, when the mode is ChannelSftp.OVERWRITE, allows remote SFTP servers to write to arbitrary files via a ..\ (dot dot backslash) in a response to a recursive GET command.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| com.jcraft:jsch (Maven) | < 0.1.54 | 0.1.54 |
Patches
No patches discovered yet.
References
- packetstormsecurity.com/files/138809/jsch-0.1.53-Path-Traversal.html (nvd; Third Party Advisory, VDB Entry, WEB)
- seclists.org/fulldisclosure/2016/Sep/53 (nvd; Mailing List, Third Party Advisory, WEB)
- www.securityfocus.com/bid/93100 (nvd; Third Party Advisory, VDB Entry)
- github.com/advisories/GHSA-q446-82vq-w674 (ghsa; ADVISORY)
- github.com/tintinweb/pub/tree/master/pocs/cve-2016-5725 (nvd; Third Party Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2016-5725 (ghsa; ADVISORY)
- www.exploit-db.com/exploits/40411/ (nvd; Third Party Advisory, VDB Entry)
- www.jcraft.com/jsch/ChangeLog (nvd; Release Notes, WEB)
- access.redhat.com/errata/RHSA-2017:3115 (nvd; WEB)
- lists.debian.org/debian-lts-announce/2020/04/msg00017.html (nvd; WEB)
- www.exploit-db.com/exploits/40411 (ghsa; WEB)
- www.oracle.com/security-alerts/cpuApr2021.html (nvd; WEB)
- www.oracle.com/security-alerts/cpujan2021.html (nvd; WEB)
- www.oracle.com/security-alerts/cpuoct2020.html (nvd; WEB)